CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
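To make the description concrete, here is an added example (not part of the CWE entry or of any product listed below) that runs the two constructions side by side against an in-memory SQLite table: a query assembled by string concatenation, where a quote in the input is parsed as SQL, and the same lookup with a bound parameter, where the driver never interprets the value as syntax. The third function shows the variable-length `IN (...)` case, which is where "the query takes an array" bugs tend to live. The table, rows, function names and the `PAYLOAD` string are all constructed for the demo.

```python
"""Added example (not from the CWE entry): string-built SQL vs. parameterized
SQL, executed against an in-memory SQLite database with constructed data."""
import sqlite3

# Constructed sample rows for the demonstration.
SEED_ROWS = [
    (1, "alice", "alice@example.org", 1),
    (2, "bob", "bob@example.org", 0),
    (3, "carol", "carol@example.org", 0),
]

# Constructed injection string: closes the quoted literal, then appends a
# tautology so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 pattern: the value is spliced into the statement text, so any
    SQL metacharacters in it change the statement's meaning."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Remediation: the statement text is fixed; the value travels separately
    as a bound parameter and is only ever compared as data."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_ids(conn: sqlite3.Connection, ids) -> list:
    """Variable-length IN list done safely: validate each element as an
    integer (ValueError otherwise), then emit one '?' placeholder per value.
    The only dynamic part of the statement is the count of placeholders."""
    ints = [int(i) for i in ids]
    if not ints:
        return []
    placeholders = ",".join("?" * len(ints))
    return conn.execute(
        f"SELECT id, name FROM users WHERE id IN ({placeholders}) ORDER BY id",
        ints,
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))       # the one matching row
    print(lookup_vulnerable(db, PAYLOAD))       # every row: filter bypassed
    print(lookup_parameterized(db, PAYLOAD))    # []: payload is just a string
    print(lookup_by_ids(db, ["1", "3"]))        # two rows, ids validated first
```

The point of the third function is that parameterization alone does not cover list-shaped input: a placeholder binds one scalar, so the code must decide how many placeholders to emit and must refuse elements that are not of the expected type before they reach the driver.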
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 39 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11369 | | Cri | 0.64 | 9.8 | 0.01 | | May 22, 2018 | An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection that can get important information from the database via the \apps\home\controller\ParserController.php scode parameter. |
| CVE-2018-10759 | | Cri | 0.64 | 9.8 | 0.02 | | May 16, 2018 | PHP remote file inclusion vulnerability in public/patch/patch.php in Project Pier 0.8.8 and earlier allows remote attackers to execute arbitrary commands or SQL statements via the id parameter. |
| CVE-2018-11032 | | Cri | 0.64 | 9.8 | 0.01 | | May 14, 2018 | PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function. |
| CVE-2018-8824 | | Cri | 0.64 | 9.8 | 0.01 | | May 10, 2018 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. |
| CVE-2017-17902 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 22, 2018 | SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI. |
| CVE-2018-10284 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 21, 2018 | Adaltech G-Ticket v70 EME104 has SQL Injection via the mobile-loja/mensagem.asp eve_cod parameter. |
| CVE-2018-10283 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 21, 2018 | CliqueMania loja virtual 14 has SQL Injection via the patch/remote.php id parameter in a recomendar action. |
| CVE-2018-1290 | | Cri | 0.64 | 9.8 | 0.03 | | Apr 20, 2018 | In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and… |
| CVE-2018-10225 | — | Cri | 0.64 | 9.8 | 0.01 | | Apr 19, 2018 | thinkphp 3.1.3 has SQL Injection via the index.php s parameter. |
| CVE-2018-9924 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 10, 2018 | An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request. |
| CVE-2018-9309 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 5, 2018 | An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. |
| CVE-2018-9247 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 4, 2018 | The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then… |
| CVE-2014-4959 | | Cri | 0.64 | 9.8 | 0.02 | | Mar 27, 2018 | **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method. |
| CVE-2018-8967 | | Cri | 0.64 | 9.8 | 0.02 | | Mar 24, 2018 | An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. |
| CVE-2018-8943 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 22, 2018 | There is a SQL injection in the PHPSHE 1.6 userbank parameter. |
| CVE-2018-7269 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 21, 2018 | The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. |
| CVE-2014-2652 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 19, 2018 | SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2018-7033 | | Cri | 0.64 | 9.8 | 0.02 | | Mar 15, 2018 | SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL Injection attacks against SlurmDBD. |
| CVE-2018-1000131 | | Cri | 0.64 | 9.8 | 0.02 | | Mar 14, 2018 | Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be… |
| CVE-2018-7732 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 6, 2018 | An issue was discovered in YxtCMF 3.1. SQL Injection exists in ShitiController.class.php via the ids array parameter to exam/shiti/delshiti.html. |